up2date for testing (with apt/yum/dir repo support)

Panu Matilainen pmatilai at welho.com
Sun Aug 17 14:17:23 UTC 2003


On Sun, 2003-08-17 at 17:12, Chris Kloiber wrote:
> On Sun, 2003-08-17 at 06:13, Panu Matilainen wrote:
> > On Sun, 2003-08-17 at 04:09, Chris Kloiber wrote:
> > 
> > > 
> > > A few little problems I noted, first was that the file sizes of any
> > > packages from an apt or yum repo are listed as '0', which made me
> > > hesitate to install from them until I verified I was getting real files.
> > > Second, it might be nice to have up2date offer to download the GPG-KEY
> > > from those apt and yum repos that support GPG, of course that might
> > > require mods to apt and yum first, or you could assume the GPG key to be
> > > at the same location as the repository. 
> > 
> > Note that apt itself doesn't understand about signed *packages*, that's
> > achieved with scripts (lua in Fedora's apt, others can be used as well).
> > Apt does however have a notion of signed *repositories*, meaning the
> > package lists can be GPG-signed and verified from the release file in
> > the repo against GPG-fingerprints found in /etc/apt/vendors.list.
> > 
> > 	- Panu -
> 
> Well I meant the GPG-KEY that the packages were signed with for the
> purposes of not having up2date complain about them not having a "valid"
> (as in the local keyring has a copy) key so you don't have to click
> "yes" to continue all the time. Apt doesn't really need to know about
> the GPG key at all (but it would be nice).

Sure, would be nice. Something to consider for the common repository
metadata thingy: how to find the GPG key(s) used to sign the packages in
repository X.

	- Panu -
